Re: allow guest_u to access screen

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 2013-04-14 at 00:27 +0530, Lakshmipathi.G wrote:
> Hi -
> 
> I'm trying to allow guest_u user to execute 'screen' command. When
> guest_u executes screen ,access gets denied, 
> but I can't find any logs under /var/log/audit/audit.log . If SElinux
> disabled, guest_u can properly execute screen command.
> 
> # grep screen /var/log/audit/audit.log | audit2allow -M screen
> Nothing to do
> 
> How to provide screen command access to guest_u in a safe manner ?
> Such a policy open up any other security issues? 
> Thanks for any pointers/help.
> 

guest-t is supposed to be a minimal ssh login user and so by default the
use of screen is no supported.

To allow should be easy:

mkdir myguest; cd myguest
cat > myguest.te << EOF
policy_module(myguest, 1.0.0)
optional_policy(`
gen_require(` type guest_t; role guest_r; ')
screen_role_template(guest, guest_r, guest_t)
')
EOF

make -f /usr/share/selinux/devel/Makefile myguest.pp
sudo semodule -i myguest.pp

This will allow guest_t to run screen in the guest_screen_t domain.
You will probably want to relogin and run restorecon -R -v -F
~/.screenrc


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux